Five Ways You Help Keep the University Secure Part Three: How to Avoid Phishing

January 14, 2020

by UNH IT Staff


This article is part three in our series on Five Ways You Help Keep the University Secure. This month, we discuss how to avoid email phishing attempts.

What is Phishing?

People often confuse phishing and spam, but these two types of unwanted email are fundamentally different. Both are annoying, but spam is harmless, while phishing is intrinsically malicious. Phishing is cybercrime, and the criminals who create phishing emails are trying to steal your identity, steal your money, or both.

Cybercriminals pose as legitimate companies or organizations and use social engineering to trick recipients into handing over personal data, opening links to infected websites, or launching malicious files on their computers. Phishing emails are designed to deceive: they may try to trick you into entering your username and password on a fake login page, or into downloading and installing malware on your device. Some malware can capture personally identifiable information (PII) such as your Social Security number, credit card numbers, medical records, educational records, or a username/password combination (also known as credentials).

Phishing takes many shapes. Most people think of it as email, but criminals also send phishing messages via SMS, phone call, or voicemail. Whatever the format or design, the goal is the same: cybercriminals are trying to obtain critical pieces of information that lead to identity and financial theft.

Why Does it Matter to UNH?

Phishing is one of the most critical cybersecurity threats facing the University. Simply opening an email or attachment, replying to an email, voicemail, or text, or clicking on a link in a phishing message creates a security risk to the University. Phishing endangers the University and creates the following potential security incidents:

  • Identity theft
  • Compromise of personal information
  • Theft or compromise of institutional information
  • Theft or compromise of research
  • Data loss
  • Malware infection
  • Internal phishing attack
  • Ransomware attack

UNH is a gold mine of personal data, and that’s why we are an attractive target. We are custodians of hundreds of thousands of records containing PII. Cybercriminals target UNH because a single piece of stolen PII can fetch thousands of dollars. 

Who Falls for Phishing, Anyway?

We all like to think we’re good at spotting malicious messages, but the numbers tell a different story.

  • 1 in 14 users is susceptible to phishing attacks, and 50% of those victims fall for it more than once.
  • Almost half of all data breaches in higher education involve phishing.
  • 90% of phishing attacks are used to steal credentials.
  • Malicious attachments represent 66% of all data breaches.

How to Spot a Phish – Key Indicators 

First and foremost, most phishing emails create a sense of urgency to get a quick response. These messages threaten negative consequences (for example, “Respond within 24 hours or your email will be shut off”) or offer positive incentives (for example, “All employees who sign in before the end of the day win a free lunch.”). Most phishing sites are only active for 48 hours, so the criminal’s goal is to get you to respond immediately without thinking it through.

Secondly, most phishing emails also include two or more of the following features:

  • The display name does not match the email address the message is actually sent from
  • Claims to be from a legitimate company but is sent from an email address not linked to that company (e.g., claims to be from Amex but is sent from a Gmail account)
  • Does not include branding (UNH or other company logo or email signature)
  • Contains references to non-existent UNH departments or services (e.g., UNH Health Center instead of UNH Health and Wellness)
  • Includes unusual words, syntax, or phrasing
  • Contains direct links to login pages
  • Contains an attachment with a generic file name
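The indicators above can be turned into a simple triage heuristic that a mail administrator or help desk could run over a reported message. This is an added example, not code from the original article or from UNH IT; the two sample messages are constructed, and the known-department list, the urgency and file-name patterns, and the unh.edu domain check are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse
# The article's indicators encoded as simple patterns (the exact wording is assumed).
URGENCY = re.compile(r"\b(within \d+ hours|immediately|shut off|suspended)\b", re.I)
LOGIN_PATH = re.compile(r"login|signin|verify|password", re.I)
GENERIC_FILE = re.compile(r"^(document|invoice|scan|file)\d*\.(pdf|docx?|zip)$", re.I)
DEPT = re.compile(r"UNH(?: (?:[A-Z][A-Za-z]+|and|of))+")  # e.g. "UNH Health and Wellness"
KNOWN_DEPTS = {"UNH Health and Wellness", "UNH IT Service Desk"}  # assumed list
OUR_DOMAIN = "unh.edu"

def is_ours(host: str) -> bool:  # exact or sub-domain; "evilunh.edu" must not pass
    return host.lower() == OUR_DOMAIN or host.lower().endswith("." + OUR_DOMAIN)

def build_sample(phish: bool = True) -> EmailMessage:
    """Constructed messages for demonstration (not real email): a phish or a benign one."""
    msg = EmailMessage()
    if not phish:
        msg["From"] = "UNH IT Service Desk <it.servicedesk@unh.edu>"
        msg.set_content("The UNH IT Service Desk will be closed on Monday.\n")
        return msg
    msg["From"] = '"UNH Health Center" <alerts.unh@gmail.com>'
    msg.set_content("Your mailbox is over quota.\nRespond within 24 hours or your "
                    "email will be shut off.\nSign in: http://unh-portal.example.net/login\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="document1.pdf")
    return msg

def phish_indicators(msg: EmailMessage) -> list[str]:
    # Returns the article's indicators that fire on one message, in a fixed order.
    hits = []
    name, addr = parseaddr(str(msg.get("From", "")))
    if "unh" in name.lower() and not is_ours(addr.rpartition("@")[2]):
        hits.append("claims to be UNH but is sent from another domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text):
        hits.append("urgency or threat of consequences")
    if any(LOGIN_PATH.search(urlparse(u).path) and not is_ours(urlparse(u).hostname or "")
           for u in re.findall(r"https?://\S+", text)):
        hits.append("direct link to an external login page")
    # Department names stop at a newline, so the sender name is joined with "\n".
    unknown = {d for d in DEPT.findall(name + "\n" + text) if d not in KNOWN_DEPTS}
    if unknown:
        hits.append("non-existent UNH department: " + ", ".join(sorted(unknown)))
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(GENERIC_FILE.match(n) for n in names):
        hits.append("generic attachment name(s): " + ", ".join(names))
    return hits
```

A message that fires two or more indicators is worth forwarding to the help desk for review; the benign sample fires none.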

It is important to note that phishing emails can also come from internal email addresses. Sometimes a UNH employee or student falls for a phishing attack and provides their username and password to the cybercriminal, who then uses those credentials to send phishing emails from a valid UNH email account. The goal is to repeat the cycle and harvest additional credentials from UNH users.

What to do if you get a Phishing Email

If you receive an email you suspect is phishing:

If you fall for a phishing email, call the UNH IT Service Desk ASAP for assistance.

UNH Information Security Services created a UNH Information Security Training Course in Canvas to teach UNH students, faculty, and staff the best practices that help keep the University secure, and to test your knowledge. You can enroll in the course here: https://mycourses.unh.edu/courses/34479. After completing the module, complete the Don’t Take the Bait Quiz at https://mycourses.unh.edu/courses/34479/quizzes/104630.

This article concludes part three of our series. Next month, we discuss how to handle data with care. 
